Monday, April 11, 2011

The curious case of internet filtering in Ireland

[Reblogged from the new website MediaLaws.eu, where I will be contributing updates from Ireland.]

One of the most important developments for freedom of expression online has been the growth of internet filtering systems, which have rapidly been adopted by national governments as the “solution” to various forms of internet wrongdoing. Ireland is no exception to this trend, and last month it was revealed that the Garda Síochána (the national police force) is now attempting to introduce a system whereby ISPs would block access to websites alleged to host child abuse images.

It is somewhat ironic that this news becomes public just as both Germany and the Netherlands have decided to abandon similar systems, having found that they are ineffective as a means of tackling child abuse images. Even leaving aside considerations of effectiveness, however, the proposed Irish system still presents a number of significant concerns.

A fundamental principle under Article 10 of the European Convention on Human Rights is that measures which have the effect of restricting freedom of expression must be “prescribed by law”. In this case, however, the Irish system would not have any legal basis whatsoever, much less any judicial oversight or control. Instead, it would involve the police in telling ISPs what domains to block on a “self-regulatory” basis. Consequently, it would seem on the face of it that the proposed system would violate Article 10. The European Commission recently reached the same conclusion about self-regulatory blocking systems (p.30) as did a government study which was decisive in causing the Dutch blocking system to be abandoned.

A further problem relates to the secret manner in which the government and the police have attempted to introduce this system. There has been no public consultation or debate of any kind regarding blocking – instead, information has only dripped out in response to freedom of information requests and leaks from ISPs. This is particularly worrying given that (as Lessig points out) internet filtering is an inherently opaque process, which is prone to operating in an unaccountable way and to being extended beyond its original purposes. In the Irish context, the secrecy surrounding the introduction of filtering doesn’t bode well for the future.

The nature of the proposed blocking is also worrying. What Irish police have suggested is based on the CIRCAMP model, which attempts to block material by using DNS tampering. In short, the police would notify ISPs to block http://example.com or http://subdomain.example.com and the ISP would then configure their DNS servers to redirect all attempts to visit any material hosted on those (sub)domains. The effect would be massive overblocking, where users would be unable to visit any page hosted on a particular domain, irrespective of whether it had any connection whatsoever with the blocked material. Last February, a similar approach in the United States saw over 84,000 innocent websites being wrongfully blocked, and there is no reason to think that the Irish approach would be any more precise.

Finally, one particularly unusual aspect of the proposals is the way in which police seek to introduce monitoring of users. According to the proposals, where a user attempts to view a blocked domain name, police would “obtain details of other websites visited by the user, along with other technical details, in order that [they] can identify any new websites that require blocking”. This in effect seeks the full browsing history of users – whether or not there has been any attempt on their part to view child pornography! (Bearing in mind that DNS tampering results in massive overblocking, it is quite likely that a user may have their browsing history disclosed due to an attempt to visit http://example.com/innocent_content when the entirety of example.com has been blocked due to a single image or page elsewhere in the site.) This raises fundamental privacy and data protection concerns, particularly given that a user can often be identified by viewing their browsing history (e.g.), and has therefore been referred to the Data Protection Commissioner for investigation.
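The two paragraphs above describe why domain-level (DNS tampering) blocking overblocks: the resolver only sees the hostname, so every page on a listed (sub)domain is caught, and an innocent visit to a page on that domain trips the filter and, under the proposal, the monitoring that follows it. The following script is an added illustration, not code from the original post or from any ISP or police system. It assumes that an ISP's DNS override covers a listed domain and all of its subdomains (a simplifying assumption), uses reserved example domains and a constructed blocklist and browsing log, and compares domain-level matching against a URL-level list of the pages actually at issue to measure the overblocking.

```python
"""
Added example: domain-level (DNS-style) blocking versus URL-level blocking.
All domains, blocklists and visited URLs below are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed: what the police would notify to ISPs under the CIRCAMP-style model
# (whole domains / subdomains, no paths).
DNS_BLOCKLIST = {"example.com", "subdomain.example.net"}

# Constructed: the specific pages that were actually at issue.
URL_BLOCKLIST = {
    "http://example.com/illegal_page",
    "http://subdomain.example.net/bad/image.jpg",
}


def normalise_host(host):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return host.lower().rstrip(".")


def normalise_url(url):
    """Canonical form for URL comparison: lowercase scheme and host, path kept as-is."""
    parts = urlsplit(url)
    host = normalise_host(parts.hostname or "")
    path = parts.path or "/"
    return f"{parts.scheme.lower()}://{host}{path}"


NORMALISED_URL_BLOCKLIST = {normalise_url(u) for u in URL_BLOCKLIST}


def dns_blocked(hostname, blocklist=DNS_BLOCKLIST):
    """DNS-style decision: blocked if the name equals, or is a subdomain of, a listed domain.

    Assumption: the ISP override applies to the listed name and everything beneath it.
    The resolver never sees the path, so the decision uses the hostname alone.
    """
    labels = normalise_host(hostname).split(".")
    # Check every suffix, e.g. "www.example.com" -> "www.example.com", "example.com", "com".
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def url_blocked(url, blocklist=NORMALISED_URL_BLOCKLIST):
    """URL-level decision: blocked only if this exact page is listed."""
    return normalise_url(url) in blocklist


# Constructed browsing log for one user.
SAMPLE_VISITS = [
    "http://example.com/illegal_page",             # the notified page
    "http://example.com/innocent_content",         # unrelated page on the same domain
    "http://www.example.com/about",                # subdomain of the listed domain
    "http://subdomain.example.net/bad/image.jpg",  # the notified page
    "http://other.example.net/",                   # sibling subdomain, not listed
    "http://example.org/news",                     # unrelated domain
]


def classify_visits(visits):
    """Return (blocked_by_dns, blocked_by_url, overblocked).

    overblocked = caught by the DNS-level rule but not on the URL-level list;
    these are the visits that would also trigger the proposed monitoring.
    """
    by_dns, by_url, overblocked = [], [], []
    for url in visits:
        host = urlsplit(url).hostname or ""
        dns_hit = dns_blocked(host)
        url_hit = url_blocked(url)
        if dns_hit:
            by_dns.append(url)
        if url_hit:
            by_url.append(url)
        if dns_hit and not url_hit:
            overblocked.append(url)
    return by_dns, by_url, overblocked


def overblocking_ratio(visits):
    """Fraction of DNS-blocked visits that were not on the URL-level list (0.0 if none blocked)."""
    by_dns, _, overblocked = classify_visits(visits)
    return len(overblocked) / len(by_dns) if by_dns else 0.0


if __name__ == "__main__":
    by_dns, by_url, overblocked = classify_visits(SAMPLE_VISITS)
    print("Blocked at DNS level :", len(by_dns))
    print("Blocked at URL level :", len(by_url))
    print("Overblocked (innocent visits that trip the filter):")
    for url in overblocked:
        print("  ", url)
    print(f"Overblocking ratio: {overblocking_ratio(SAMPLE_VISITS):.0%}")
```

Run stand-alone it lists the innocent visits that a domain-level block would catch; the same list is exactly the set of visits that, under the proposal, would expose the user's browsing history to the police without any attempt to view the notified material.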

Given these problems, it must be hoped that these proposals are abandoned. But quite apart from these particular proposals, it is now also time to look at the other systems of internet filtering in Ireland that have developed on an ad hoc basis. In particular, Irish mobile phone companies have been engaged in self-regulatory blocking for some time (1|2), in a manner which often affects innocent users due to crude DNS systems. Similarly, the largest Irish broadband provider Eircom recently settled an action brought by the music industry by (amongst other things) agreeing to block access to The Pirate Bay and “related domain names”. These systems have developed without any real public scrutiny or oversight and it is time to consider the effect which they have on users, whether they are subject to adequate transparency and oversight mechanisms and whether or not they are effective at achieving their goals.

Thursday, April 07, 2011

Data breach law in Ireland - the current state of play

I had a very interesting morning at McCann Fitzgerald who were kind enough to invite me in to give a legal update on data breaches - here's a copy of the handout I provided: Lessons from laptop loss: Legal consequences where organisations lose personal data

Saturday, April 02, 2011

Irish Press Council now taking online only sites as members

The Press Council published its annual report for 2010 yesterday. It details some interesting cases (1|2) involving reporting which reuses material from social networking sites and blogs, but more importantly for Irish websites the launch also revealed that the Press Council is now taking online only media as members.

From the Irish Times:

With the increase in news gathering and reporting increasing on the internet, chairman of the Press Council Daithí Ó Ceallaigh said web-based organisations or publications could benefit by joining its independent regulatory regime.

“When this happens – and at least one new web-based organisation has already been accepted as one of the recent new members of the council – we are ready to play a positive role in light of our own experience in support of the highest possible journalistic standards.”

This is a significant development. Membership of the Press Council and adherence to its Code of Practice offers periodicals a significant benefit in establishing a defence of fair and reasonable publication on a matter of public interest. The narrow definition of "periodical" in the Defamation Act 2009, however, created doubt as to whether an online-only publication would qualify for membership.

Eoin O'Dell took the view that it wouldn't (a view which I shared) though the last Minister for Justice later took a contrary view, claiming that:

The question of whether publications existing "on-line" only, either now or in the future, wish to come under the umbrella of the Press Council - and abide by its code of practice - is a matter for those publications. Nothing in the Defamation Act precludes this. Neither have I noticed any express limitation of jurisdiction in the Articles of Association of the Press Council on membership by on-line publications. Some recent commentary from media experts seems to have missed this point.

The Press Council itself has now clearly taken the position that online-only periodicals are eligible for membership, which will certainly cause a number of Irish websites to consider joining.

One note of caution, however: it will ultimately be for a court to determine whether an online-only site is a "periodical" for the purposes of the defence of fair and reasonable publication. The views of the Press Council on this point will be relevant but certainly not conclusive.

Monday, March 28, 2011

Consultation on implementation of Telecoms Reform Package

There are just a few days left if you wish to comment on the Department of Communications proposals for implementation of the Telecoms Reform Package.

While there's quite a lot contained in the five sets of proposed regulations, the portions of most interest to me are the proposals regarding the revised E-Privacy Directive (.doc) which will implement a requirement for data breach notification along with new rules regarding cookies.

Curiously enough, there hasn't been much public debate in Ireland about the impact of the new rules regarding cookies - unlike the UK, where a similar implementation (which essentially copies and pastes text directly from the Directive) has been particularly controversial. This may be because the proposed Irish text is more business friendly in explicitly stating that browser settings can be used to show that users consent to cookies. However, it's still not entirely clear from the draft regulations whether this means that the technically unsavvy user will be taken to have consented where they fail to adjust their browser settings from what is (usually) the default "accept all cookies" option. (The Article 29 Working Party, for example, have taken the view that failure to adjust default settings does not amount to an affirmative consent.)

Update: The Department has now confirmed that it has extended the deadline for submissions to 15 April.

Friday, March 25, 2011

Analysis of the new Data Retention Act

Ronan Lupton (barrister and also chair of Irish telecom industry body ALTO) has written a particularly useful and well informed analysis of the impact of the new Data Retention Act on Irish law and has been kind enough to allow me to mirror it here:

The Internet in Society: Empowering or Censoring Citizens?

This video by RSA Animate is a superb visualisation of Evgeny Morozov's recent book The Net Delusion on cyber-utopianism and the impact of the internet on fundamental freedoms. While I don't agree with his overall conclusions, his cyber-realist argument is certainly a welcome corrective to a media tendency to believe in technological determinism and the inevitable spread of freedom via Facebook. His pessimistic views on the crowd-sourcing of surveillance and censorship are particularly insightful and present an interesting challenge for advocates of free speech online.

Monday, March 07, 2011

Impact of the Programme for Government

Daithi MacSithigh has written an excellent post on the new Programme for Government and what it means for technology law and policy in Ireland. There are some particularly interesting commitments on broadband, fair use and cloud computing, while filesharing gets a mention but without any detail as to what the new government plans to do.

Friday, February 25, 2011

Subject access requests up by 25% as employees seek to see HR files

Elaine Edwards has an interesting report from the Irish Computer Society Annual Data Protection Conference:

THE NUMBER of complaints from people seeking access to personal information held on them increased last year due to the economic downturn, with many people concerned about potential or actual dismissal from their jobs.

Data Protection Commissioner Billy Hawkes said yesterday the top item for complaints to his office in 2010 was about failure to respond adequately to requests for access to personal data.

Individuals have a right under the Data Protection Acts to be given this data. “In past years, the top spot was always occupied by unsolicited direct marketing,” Mr Hawkes said. “I think with the economic downturn we are currently suffering, we’ve seen increasing use of the right of access by people who are fearful that they are going to lose their jobs or, who sometimes may have lost them.

“They are using the right of access to see what exactly is going on in relation to them within a particular organisation, or to see was it justified that they should have been picked out for dismissal from the company.”

Daragh O'Brien has also put up a screencast of his presentation at that conference.

Update: Elaine Edwards has more from the conference here, discussing the need for reform of data breach reporting.

Sunday, February 20, 2011

Judge's report reveals allegations that Garda used phone records to spy on her ex

Mark Tighe has an important story in today's Sunday Times about apparent abuse by a garda of the data retention system. Unfortunately it's behind a paywall, but I've taken the liberty of scanning the hardcopy and placing it here as it raises a number of fundamental questions about the safeguards which are in place against abuse and the likelihood of further abuse now that the 2011 Act has extended data retention to internet use also.

Garda accused of bugging her ex-boyfriend

Mark Tighe

A FEMALE garda suspected of obtaining the phone records of her ex-boyfriend has been reported as the first person who may have breached phone-tapping rules introduced in legislation in 1993.

The case is highlighted in a report prepared by Iarfhlaith O'Neill, a High Court judge designated to monitor the state's phone-tapping activities.

Security sources say that the case involves a garda who was stationed in the force's crime and security division, which carries out spying and intelligence services. The garda is accused of obtaining phone records of her former boyfriend to track his movements and activities after they separated. The man became suspicious and complained to gardai because his ex-girlfriend allegedly knew details of calls he had made.

In a report to the Oireachtas earlier this month, O'Neill said that he investigated a number of alleged breaches of Section 64(2) of the Criminal Justice (Terrorist Offences) Act 2005. Under Section 64(2) no garda below the rank of chief superintendent can request an individual's phone records from a service provider to aid investigations of criminal offences.

O'Neill said: "These breaches are alleged to have been committed by a member of An Garda Siochana."

"As a result of my investigations, I was concerned that these breaches may have occurred. These alleged breaches are now the subject matter of a criminal investigation and also disciplinary proceedings under the garda disciplinary code."

O'Neill said that the extent of the alleged non-compliance with the 2005 Act had been "rigorously investigated and fully understood". He said all appropriate steps had been taken to ensure future compliance with the act.

The rest of O'Neill's report states that on November 18 last year he attended garda headquarters, then army headquarters in McKee Barracks and later the Department of Justice offices on St Stephen's Green.

In each location he reviewed documents relating to phone tapping and phone records and spoke to people involved in the operation of the act. He said that all his queries were answered to his satisfaction.

"As a result of the foregoing, I am satisfied that there is, as of the date of this report (November 26, 2010) full compliance with the provisions of the above acts," he said.

A spokesman for the Data Protection Commissioner (DPC) said that gardai had informed it of the apparent data breach last June.

Gardai refused to comment on the case.

Gardai and the Department of Justice have refused to release details of how many requests for phone records or how many phone taps are authorised each year. They say that such information is sensitive.

The Labour party has called for a review of the powers given to gardai to access personal records and said they should only be used in exceptional circumstances.

In 2007 the DPC said that, based on audits of phone companies, it estimated gardai were making 10,000 requests for citizens' phone records each year. Security sources say the figure is now likely to be closer to 15,000 as gardai regularly seek phone records to aid investigations.

Despite its resistance to publishing details about requests to access the phone records of private citizens, Ireland may be forced to do so by a 2009 European Council directive.

The directive requires member countries to legislate to provide their data protection commissioners with the number of requests made for phone records and the legal justification invoked.

Some quick thoughts:

The references to bugging and phone-tapping are misleading - what is alleged here (as I understand it) is that the garda accessed the phone records of her ex rather than actually listened to the contents of telephone calls.

There are, unhelpfully, no details given in the report as to how the abuse came to light or what changes will be made in future to prevent further abuses. (Continuing a fine tradition of opacity.) But a number of questions spring to mind.

When did the alleged abuse take place, and how long did it take before it was uncovered? Was the abuse discovered purely by chance? Is there an adequate internal audit trail of requests which are made? If so, who is responsible for reviewing that trail? Does the designated judge access a sample of requests from the preceding year to ensure that the surveillance was appropriate? If the designated judge will not provide this level of detail in the annual report then the Minister for Justice must do so to the Oireachtas if the public are to have confidence in this system. While the particular details of this case cannot be discussed until any criminal trial is concluded, it is remarkable that there is absolutely no discussion of the systems-level controls which are (or are not) in place.

Finally, when data breach notification is finally introduced as a legal obligation (whether under the revised e-Privacy Directive or the Data Protection Commissioner's Code of Practice) will it include a right to be notified of this type of breach also? Note that the Directive appears to impose a notification obligation on telcos only.

For more background on the allegations behind this story, see this Mail on Sunday piece from last year.

Friday, February 18, 2011

Irish local government says open source software not just for "sandal-wearers"

According to today's Irish Times, the Local Government Computer Services Board is moving towards open source software:

THE LOCAL Government Computer Service Board, a flagship Microsoft client, is moving to open-source software after nearly 10 years of allegiance.

The public sector body provides shared ICT services to local government and was a pioneering exponent of SharePoint, the Microsoft web-based product that is used as an intranet by many of the country’s 33 councils.

In 2001, the board signed a landmark €10 million contract with Microsoft, licensing end-to-end software from desktop to database for use across local government. It was renewed in 2005, but only after assistant director Tim Willoughby looked at the open-source alternatives.

At the time he expressed a reluctance to entrust local government IT platforms to a “sandal-wearing” community, preferring the level of support offered by Microsoft.

A number of factors have convinced Willoughby that the time is right to make the move, not least the fact that the computer service board has seen a 15-20 per cent cut in its IT spend and must make funds go further.

Interestingly, Willoughby also states that data portability was a factor in the decision - "we don’t want our data to be stuck in old infrastructure where we have to pay somebody to get it out".

The relevant request for information is available on eTenders.

The Local Government Computer Services also has a blog on open source software, which includes presentations from a recent local authority forum discussing issues associated with a move to open source.

For background on the relatively slow takeup of open source within the Irish government see this 2008 article from Pearse Ryan and Andy Harbison (PDF).

Monday, February 14, 2011

Importation and sale of mobile phone jammers now an offence

Comreg watchers will be interested to learn that it has today issued the catchily-titled Prohibition of Sale, Letting on Hire, Manufacture, and Importation of Wireless Telegraphy Interference Apparatus Order 2011. The statutory instrument does what it says on the tin, and makes it a criminal offence to import, sell, etc. jamming devices - in particular mobile phone jammers.

I'm not sure what prompted this action now (growing numbers of cheap jammers being imported via Hong Kong sites?) though it does plug a gap which was recognised as far back as 2004 when a Comreg consultation on mobile phone interceptors pointed out that the use but not the sale, etc. of jammers was illegal (Consultation Document | Response to Consultation).

Incidentally, there is an overlap here with offences under the European Communities (Electromagnetic Compatibility) Regulations also, as by their nature jammers cause excessive electromagnetic interference and so could not be lawfully put on the market.

(h/t Ronan Lupton)

Want to know how much your neighbour owes on his credit card? Try the Companies Registration Office

Edited 21/2/11: The story behind this post has since been removed from the Sunday Business Post's site and a clarification printed:

In an article published on February 13 under the headline "Debtors’ personal details posted online by debt collection firm", we said that Cash Flow Services (CFS) had made personal details of almost 1,100 credit card holders available on the internet, through the Companies Registration Office.

We have been asked to point out, and are happy to clarify, that neither CFS nor any party acting on its behalf listed the names or outstanding debts of MBNA customers in any documents filed in the Companies Registration Office, nor did CFS post any debtors’ personal details online.

The Sunday Business Post apologises to CFS and its directors for any misunderstanding or confusion caused.

Saturday, January 29, 2011

The ISPAI are looking for a legal intern

This looks like an interesting job for a newly-minted law graduate:

ISPAI – The Internet Service Providers Association of Ireland Limited

ISPAI is the Industry Association that represents businesses operating in Ireland that provide publicly available Internet infrastructural and electronic services to customers both in Ireland and abroad. The Association deals with regulatory and legal issues which potentially impact the ISP business environment and affect all our members (see: www.ispai.ie). As part of this, ISPAI coordinates ISP industry self-regulation, administers the industry code of practice and ethics and runs the Hotline.ie service which supports ISPAI members to comply with Irish/EU law to respond to notices of illegal content and to assist international cooperation in this area.

ISPAI offers an intern opportunity for a post-graduate legal student who has a specific interest in the area of telecommunications and digital media law. This is a highly dynamic area with many new initiatives emerging as legislators, law enforcement and various lobbying groups realise the ubiquitous nature of the Internet and its role in shaping modern society. This is a unique opportunity to gain experience and to work with leading companies in the industry. It is strongly recommended for those intending to practise in this area.

It is intended that the selected Intern will follow proposed measures, draft legislation and other issues potentially affecting the ISP industry which are being developed at EU and national level. They will be expected to liaise with the EuroISPA secretariat in Brussels (see: www.euroispa.org) and ISP organisations. The internship will entail European travel to selected meetings or conferences.

The Intern will be expected to undertake research on the issues they will be assigned to monitor and write briefings for the internal information of ISPAI secretariat and members. They will also work closely with ISPAI staff to promote our views through our websites and develop press releases.

The internship will be of at least 9 months duration. It will be based in our offices located opposite the Sandyford Luas station in South Dublin. Working within the small ISPAI team, the Intern will report to the ISPAI General Manager. They will be expected to work at least three days per week. The position offers good opportunities for self-development and interaction with international counterparts.

The successful applicant must demonstrate:

• A reasonable knowledge of using various Internet services (web, peer to peer, etc.) and methods used in web based services and be proficient using Microsoft Office products such as Word, Powerpoint and Excel.
• Familiarity with the legal issues surrounding the internet in Ireland, such as the E-Commerce Directive, online defamation and/or "three strikes" and similar systems. The successful applicant must have a law degree and is likely to have taken at least one module covering related issues.
• Good verbal, presentation and writing skills which are essential. Proficiency in a major European language in addition to English would be an advantage.
• A diligent and accurate approach to completing tasks and an ability to work to deadlines with minimal supervision.

Training on technical principles of Internet communications and digital content distribution will be given. Please note: this internship will involve possible exposure to information relating to assessments of potentially illegal pornographic imagery and other content, within the context of ISPAI Hotline.ie operations. This is indemnified under strict procedures agreed with Government and overseen by the Department of Justice and Law Reform, Office for Internet Safety (www.internetsafety.ie) and approved by An Garda Síochána.

Expenses will be given for travel, accommodation and subsistence for approved work-related activities outside the office and a nominal stipend will be available.

Please provide by email to legalintern2011@ispai.ie, your CV and a covering letter of no more than one A4 page explaining why you should be awarded the Internship.

Closing date for applications: Tuesday 15th February 2011.

Saturday, January 22, 2011

Finance Bill taxes internet betting sites - will this lead to blocking of offshore sites?

In my last post I looked at the possible implications of the Finance Bill for Irish computer crime and data protection laws. I missed, however, another important aspect of the Bill, which is that it will extend betting duty to internet betting sites. (In my defence, I didn't read all 223 pages of the Bill and don't plan to do so any time soon. The relevant provision is s.46, at p.186.)

According to the Taoiseach, this extension of duty will be matched by a new requirement that offshore providers obtain a licence to offer their services in Ireland:

The Government will introduce legislation to ensure that overseas betting providers comply with a licensing regime that will permit them to sell their products into our jurisdiction.

So what happens if the offshore providers decide not to play ball? It might not be a coincidence that the Department of Justice has been considering the introduction of internet filtering for some time now - and officials in the Department's Gaming Control section have been taking part in this discussion (PDF released under FOI - see item 49). I can't help but suspect that there will be calls for ISPs to block access to offshore sites which don't pay this new tax - and there have been some European developments in this direction already.

Watch this space.

Friday, January 21, 2011

Finance Bill 2011 - impact on Irish data protection and computer crime law

I'm indebted to Rossa McMahon and Daragh O'Brien for pointing out (via Twitter) two interesting provisions in the Finance Bill 2011 (PDF).

Section 71 creates a new revenue offence of possessing or using computer tools for the purpose of evading tax:

71.—Section 1078 of the Principal Act is amended in subsection (2), by inserting the following after paragraph (b): "(ba) knowingly or wilfully possesses or uses, for the purpose of evading tax, a computer programme or electronic component which modifies, corrects, deletes, cancels, conceals or otherwise alters any record stored or preserved by means of any electronic device without preserving the original data and its subsequent modification, correction, cancellation, concealment or alteration,
(bb) provides or makes available, for the purpose of evading tax, a computer programme or electronic component which modifies, corrects, deletes, cancels, conceals or otherwise alters any record stored or preserved by means of any electronic device without preserving the original data and its subsequent modification, correction, cancellation, concealment or alteration,".

This would appear to cover a wide range of software and hardware, including encryption and steganography software and secure deletion tools. (Though not the encryption of the Anglo files, unless it could be shown that those files were encrypted for the purpose of evading tax.)

Section 73, meanwhile, creates what is in effect a parallel data protection system for the Revenue. Although too long to quote in full, an interesting aspect is that it creates a new offence of unauthorised disclosure of information:

(2) All taxpayer information held by the Revenue Commissioners or a Revenue officer is confidential and may only be disclosed in accordance with this section or as is otherwise provided for by any other statutory provision.

(3) Except as authorised by this section, any Revenue officer who knowingly—
(a) provides to any person any taxpayer information,
(b) allows to be provided to any person any taxpayer information,
(c) allows any person to have access to any taxpayer information, or
(d) uses any taxpayer information otherwise than in the course of administering or enforcing the Acts,

shall be guilty of an offence and shall be liable —
(i) on summary conviction to a fine of €3,000, and
(ii) on conviction on indictment to a fine of €10,000.

I wonder whether this amendment may have been prompted by the publicity attached to these recent examples of wrongdoing by Revenue staff.

Wednesday, January 19, 2011

Cloud computing complications costing Celtic companies

The lack of an appropriate regulatory environment, standard due-diligence checklists, and standard SLAs are an economic barrier to vibrant young technology companies providing cloud-based technology solutions to enterprises that need a greater level of protection than is currently on offer. The costs of developing such offerings and dealing with due-diligence queries and contract negotiations may be beyond the financial resources of a start-up.

Professional service providers who wish to avail of the efficiencies of cloud services may decide that they are not equipped to conduct due diligence or agree SLAs without the help of specialist consultants. This is an impediment to Irish businesses reducing their costs and increasing their competitiveness through the adoption of cloud technologies.

Reamonn Smith (solicitor and member of the Law Society's Technology Committee) argues for "a clearer regulatory and legal environment" in relation to cloud computing in the Law Society Gazette (PDF, p.24).

Friday, January 14, 2011

Data breach notification - ENISA study released

ENISA - the European Network and Information Security Agency - has just published a study (PDF) on data breach notification. The research was carried out as part of the process of implementing the notification requirement in the revised e-Privacy Directive, and aims to develop consistent guidelines throughout Europe for the technical and procedural issues surrounding breach notification. Some highlights from the summary (text in [brackets] is my own interlineation):

[Views of telecoms operators]

The telecommunications sector recognises that data breach notifications have an important role in the overall framework of data protection and privacy. Nevertheless, operators are seeking support and guidance on an EU and local level over a number of issues, which if clarified, would better enable European service providers to comply effectively with data breach notification requirements. Key concerns raised by telecom operators include the following:

● Risk prioritisation – The seriousness of a breach should determine the level of response. In order to prevent ‘notification fatigue’ for both the operator and the data subjects, breaches should be categorised according to specific risk levels.

● Communication channels – Operators want assurances that notification requirements will not negatively impact their brands. It is important for operators to maintain control of communications with relevant data subjects, as much as possible, to ensure that operators can effectively manage any impact on brand perception brought about by the data breach and subsequent notification.

[If operators want to avoid negative impact on their brands it might be more productive to avoid data breaches in the first place.]

● Support – In preparation for mandatory notification requirements, operators are looking for support in terms of guidance on procedures. In particular, guidance should provide a methodology for categorising types of private data and combinations of private data, as well as how to proceed with notifications based on the level of risk attributed to each breach.

[Views of Data Protection Authorities]


Data protection authorities (DPAs) take varied approaches to enforcing data protection and privacy. Some follow EC Directives closely, while others take on additional responsibilities beyond those outlined in the Directives. Although there are exceptions, the majority of DPAs surveyed in this study support mandatory notifications for telecom operators. Those that did not support mandatory notifications mostly indicated that budgetary limitations were a key factor in influencing their opinion. As notifications are not yet mandatory in most countries, regulatory authorities have little experience in handling notifications. Since regulatory authorities have a number of responsibilities, there are concerns that additional duties must not interfere with pre-existing responsibilities. Notifications are not viewed as a number one priority for most authorities. A smooth transition to mandatory notifications will consequently depend on a resolution to a number of factors, outlined here:

● Resources – Budgetary allocations for regulatory authorities should reflect new regulatory responsibilities. Concern has been raised that resources at some regulatory authorities are already occupied with other priorities. Bandwidth for additional responsibilities is limited.

● Enforcement – DPAs indicated that sanctioning authority enables them to better enforce regulations. Data controllers will be less incentivised to comply with regulations if regulatory authorities do not have sufficient sanctioning powers. Some authorities indicated that financial penalties are seen as the most effective tool for pressuring data controllers to comply, while others indicated that public criticism and black lists could be effective too.

● Relevant authorities – Local legislation will determine who the relevant authority is for regulating data breach notifications in the telecommunications sector, when mandatory notification requirements are transposed into local legislation. Although many data protection authorities indicated they are communicating effectively with other authorities already, it is important for legislation to clearly delineate relevant responsibilities, in order to mitigate or prevent potential conflicts.

● Technical expertise – In some cases, businesses have a high level of technical sophistication, which allows them potentially to conceal valuable information regarding breaches from regulatory authorities, which do not have comparable resources and expertise. Hiring new staff with relevant expertise is important in order for regulatory authorities to remain effective.

● Awareness raising – A high public profile is an important element in demonstrating the influence of regulatory authorities. A common strategy in communicating the importance of data protection to the public could be useful in better educating data subjects about their privacy rights, and the role of notifications in the overall framework of data protection.

[Areas of conflict]


Smooth implementation of data breach notification procedures requires close cooperation between data controllers at the service providers and the relevant regulatory authorities. While most operators and regulatory bodies surveyed recognise the importance of notifications, there are a number of issues where interests of the parties involved might conflict.

● Undue delay – Regulatory authorities want to see a short deadline for reporting breaches to authorities and data subjects, in order to prevent controllers from concealing evidence and also to give data subjects ample time to protect themselves. Service providers, however, want their resources to be focused on identifying if the problem is serious and solving the problem, instead of spending time reporting details, often prematurely, to regulatory authorities.

[This is an important point which is sometimes overlooked. In some breaches - such as those of credit card details - it will be essential that individuals be notified immediately so that they can e.g. cancel cards. Other breaches - such as those of healthcare information - may be just as serious but aren't likely to be as time sensitive. However, the fact that the affected individuals may not need to be notified immediately must not become an excuse for failure to notify the relevant DPA as soon as possible.]

● Traffic monitoring – Private data belonging to employees or customers running over a corporate network remain a challenging issue for both regulatory authorities and operators. Telecom operators are often requested to monitor and analyse traffic data on behalf of their customers, particularly in cases where companies want to monitor the actions of their employees. In this context, regulatory authorities see traffic monitoring as a privacy risk, due to the fact that employees may be exchanging private information on the corporate network, to which the employers would then have access.

● Content of notifications – The content of the notifications can have a direct impact on customer relations and retention. Operators want to make sure that the content of the notifications does not impact negatively on customer relations. Regulatory authorities, however, want to see that the notifications provide the necessary information and guidance in line with the rights of the data subjects.

● Audits – One service provider indicated that it performed its own security audits internally, with the aim of detecting and solving any potential vulnerabilities that could result in data breaches. The operator believed that its internal expertise was sufficient to ensure it was using the latest techniques for securing data and compliance with regulations, suggesting its expertise surpassed that of the national regulatory authorities. Regulatory authorities, however, indicated that their ability to perform audits and spot checks provides the authority necessary to enforce compliance.

[Extension of notification to other sectors]


While the recent telecoms reforms make notifications mandatory for telecom operators, there remains ongoing debate about extending mandatory notifications to other sectors.

● Telecommunications operators: In comparison to other sectors, regulatory authorities indicated that telecommunications operators ranked high in terms of their security measures and ability to limit data breaches.

Telecom operators have at their disposal some of the top networking, communications and security experts. But this is true mostly for the larger operators. Smaller alternative operators and local ISPs do not necessarily have resources comparable to the large international companies and incumbent operators.

● Finance sector: Finance institutions are considered to be at great risk, due to the sensitive nature of the data they possess. Nonetheless, financial institutions are already subject to regulations across Europe, with regulations being enforced by various bodies, including central banks. Consequently, extending data breach requirements to financial institutions would require careful coordination with other responsible authorities, which may already require incidents of data breaches to be reported.

● Healthcare: Data protection authorities regularly pointed to the healthcare sector as an area of high risk. Due to the large amount of very sensitive private data stored on doctors’ and nurses’ laptops, which are often unencrypted, there is high risk for exposure or leaks.

● Small businesses: Small businesses pose a major challenge. Collectively, they have a lot of personal data, but individually they do not have resources or know-how to secure their data. Due to the sheer number of small businesses, regulation would prove challenging. Educating and making businesses aware would require significant efforts and resources. As more and more small businesses develop online strategies, the risk for exposure is increasing.

Thursday, January 13, 2011

Job opportunity: Privacy and surveillance

I received a very interesting job opportunity in my inbox this morning, which might be of interest to some readers of this blog:
Senior Research Analyst

Trilateral Research & Consulting, a London-based consultancy, specialising in research and the provision of strategic, policy and regulatory advice on new technologies, privacy, trust, surveillance, risk and security issues is seeking to engage a Senior Research Analyst to work on one or more new projects. Specific duties of the position include:

  • Performing research work related to current projects, writing reports or sections of reports and developing other deliverables as required to fulfil contractual obligations.
  • Researching and writing content for grant proposals and tender submissions.
  • Writing content for peer-reviewed journal articles and book chapters, as part of projects, or as an outgrowth from projects.
  • Attending and/or presenting at some project-related meetings, involving some level of travel outside the UK.

 Preferred candidates will be based in the UK, will have English as their native language and will have recently completed a PhD in an area of study related to security, privacy, data protection, surveillance or a related field.

Contact:
David Wright
Managing Partner
Trilateral Research & Consulting
www.trilateralresearch.com
david.wright@trilateralresearch.com

or

Kush Wadhwa
Senior Partner
Kush.wadhwa@trilateralresearch.com

Friday, December 17, 2010

Firms hampered by failure to keep law up to date with internet age

I have an opinion piece in today's Irish Times arguing that the Taoiseach's recent comments about reform of copyright law create an opportunity for wider reform. Unfortunately, the Irish Times doesn't allow inline links, so here's a version with relevant links included:
Firms hampered by failure to keep law up to date with internet age

Much of the Irish law governing the internet is archaic, restrictive and hampers growth, writes TJ McIntyre

In a speech this week, the Taoiseach announced support for a review of European and Irish copyright law, stating “it is time to review our copyright legislation, and examine the balance between the rights holder and the consumer, to ensure that our innovative companies operating in the digital environment are not disadvantaged against competitors”.

This is a welcome development for the Irish internet industry, which has argued for some time that copyright reform would be desirable.

It follows a seminar last month, hosted by Digital Rights Ireland, Google and the Institute of International and European Affairs, where speakers from businesses such as Boards.ie, UPC and Google pointed out the practical problems copyright laws can create.

In particular, one of the reasons why the US has been so successful at encouraging internet innovation is that US copyright law includes a doctrine known as fair use. This permits the use of portions of a copyrighted work so long as the normal economic exploitation of the work is not undermined.

Irish law, by comparison, has no equivalent to the flexible doctrine of fair use.

Instead, there is a finite and restrictive list of exceptions to copyright, hampering the ability of Irish businesses to develop new forms of internet services.

Reform of the law – if it addresses this and similar issues – will help promote the growth of new businesses in this area and avoid the loss of jobs to more internet-friendly jurisdictions, such as the US.

However, this is not a uniquely Irish development. It follows action at European Union level and in other countries such as Britain. Last month, David Cameron said UK copyright laws were out of date and needed to be reviewed to “make them fit for the internet age”.

The Irish Government will have to move quickly to avoid falling behind Britain and other European bodies that have taken the initiative in this area.

It will also be important that copyright not be considered in isolation, as it is just one of a number of areas where Irish businesses have been hampered by a failure to keep the law up to date with the internet.

After a flurry of activity leading up to the Electronic Commerce Act 2000, there has been relatively little reform since.

Consequently, much of the Irish law governing the internet is now a decade old – an eternity in the online world – and is no longer suited for current conditions.

One of the most important areas in need of reform is defamation. A significant risk faced by Irish internet companies is that of being sued for what users say. Under the law as it stands, businesses such as online forums, auction sites and even search engines face a real likelihood of legal action being brought against them, even though they were in no way responsible for what was said and behaved reasonably.

European law does recognise the injustice of this, and provides some protection for these intermediaries. Ireland, however, has adopted a very limited implementation of this European law, so Irish online businesses are much more exposed than those in other jurisdictions.

Remarkably the Defamation Act 2009 ignored proposals for reform of the law in this area.

If the Taoiseach is to succeed in his stated aim of ensuring that Irish businesses are not disadvantaged against competitors, then it will be important to tackle online defamation also.

Wednesday, November 24, 2010

EU Internal Security Strategy Published

The Commission has just published an internal security strategy document setting out a four year plan for European level action on the issues of "fighting and preventing serious and organised crime, terrorism and cybercrime, strengthening the management of our external borders and building resilience to natural and man-made disasters."

While the entire plan is likely to be controversial (and the sections on border control have already been criticised), I'd like to focus on the section on cybercrime and to offer a few thoughts:
Action 1: Build capacity in law enforcement and the judiciary

By 2013, the EU will establish, within existing structures, a cybercrime centre, through which Member States and EU institutions will be able to build operational and analytical capacity for investigations and cooperation with international partners. The centre will improve evaluation and monitoring of existing preventive and investigative measures, support the development of training and awareness-raising for law enforcement and judiciary, establish cooperation with the European Network and Information Security Agency (ENISA) and interface with a network of national/governmental Computer Emergency Response Teams (CERTs). The cybercrime centre should become the focal point in Europe's fight against cybercrime.

At national level, Member States should ensure common standards among police, judges, prosecutors and forensic investigators in investigating and prosecuting cybercrime offences. In liaison with Eurojust, CEPOL and Europol, Member States are encouraged by 2013 to develop their national cybercrime awareness and training capabilities, and set up centres of excellence at national level or in partnership with other Member States. These centres should work closely with academia and industry.
The recommendations for action at EU level are welcome, but unfortunately Ireland has a long way to go to meet the recommendations for action at national level. I've written about the failings in the Irish response to cybercrime recently in the Sunday Business Post.
Action 2: Work with industry to empower and protect citizens

All Member States should ensure that people can easily report cybercrime incidents. This information, once evaluated, would feed into national and, if appropriate, the European cybercrime alert platform. Building on the valuable work under the Safer Internet Programme, Member States should also ensure that citizens have easy access to guidance on cyber threats and the basic precautions that need to be taken. This guidance should include how people can protect their privacy online, detect and report grooming, equip their computers with basic anti-virus software and firewalls, manage passwords, and detect phishing, pharming, or other attacks. The Commission will in 2013 set up a real-time central pool of shared resources and best practices among Member States and the industry.

Cooperation between the public and private sector must also be strengthened on a European level through the European Public-Private Partnership for Resilience (EP3R). It should further develop innovative measures and instruments to improve security, including that of critical infrastructure, and resilience of network and information infrastructure. EP3R should also engage with international partners to strengthen the global risk management of IT networks.

The handling of illegal internet content – including incitement to terrorism – should be tackled through guidelines on cooperation, based on authorised notice and take-down procedures, which the Commission intends to develop with internet service providers, law enforcement authorities and non-profit organisations by 2011. To encourage contact and interaction between these stakeholders, the Commission will promote the use of an internet based platform called the Contact Initiative against Cybercrime for Industry and Law Enforcement.
Much of this is uncontentious, but the references to handling illegal internet content require careful scrutiny. The "guidelines on cooperation" and "notice and takedown procedures" reflect a worrying trend at EU level towards bringing about internet censorship by means of self-regulation. The result is that decisions about legality are being made in a way which has no legislative basis and excludes judicial oversight. This trend can already be seen in relation to internet filtering, but this strategy, if implemented, would seem to extend it significantly further. It is hard to see how this proposal could be compatible with the requirement under Article 10 of the European Convention on Human Rights that restrictions on freedom of expression be "prescribed by law".
Action 3: Improve capability for dealing with cyber attacks

A number of steps must be taken to improve prevention, detection and fast reaction in the event of cyber attacks or cyber disruption. Firstly, every Member State, and the EU institutions themselves should have, by 2012, a well-functioning CERT. It is important that, once they are set up, all CERTs and law enforcement authorities cooperate in prevention and response. Secondly, Member States should network together their national/governmental CERTs by 2012 to enhance Europe's preparedness. This activity will also be instrumental in developing, with the support of the Commission and ENISA, a European Information Sharing and Alert System (EISAS) to the wider public by 2013 and in establishing a network of contact points between relevant bodies and Member States. Thirdly, Member States together with ENISA should develop national contingency plans and undertake regular national and European exercises in incident response and disaster recovery. Overall, ENISA will provide support to these actions with the aim of raising standards of CERTs in Europe.
The Irish CERT body (IRISS) does not have any state funding at present - will this recommendation encourage the Irish government to provide funding?

Wednesday, November 17, 2010

Legal issues for mobile marketing

Peppe Santoro of Eversheds O'Donnell Sweeney has just placed a very comprehensive and useful presentation on this topic on Slideshare:
Strongly recommended.

Friday, November 12, 2010

More developments on defence access to breathalyser source code

I've blogged before about whether a defendant in a drink driving charge is entitled to examine the source code to the breath testing machine, and there's been a High Court decision on this point since then, but this issue has recently cropped up yet again in the form of an interesting decision of the Information Commissioner.

In Case 080260 - Mr. W & The Medical Bureau of Road Safety (MBRS) the applicant sought to use a FOI request to the Medical Bureau of Road Safety to obtain (amongst other things) the source code relating to a "Lion Intoxilyzer 6000 IRL". The decision of the Information Commissioner addressed a number of important issues - including whether FOI could be used to "provide a parallel system whereby the defence could obtain what is in effect disclosure in a criminal case" - but in relation to the source code the Commissioner had this to say:
It is my understanding that the term "source code" refers to high level code, the disclosure of which would allow the development of competing products. I therefore accept that the source code at issue in this case qualifies as a trade secret within the meaning of section 27(1)(a) of the FOI Act. I also consider that, on balance, the public interest would not favour release, particularly if the testing, maintenance and repair records are made available. As Ms. Campbell stated, court procedures must be considered adequate to ensure the fairness of any criminal proceedings under the Road Traffic Acts.

I also accept that a duty of confidence would be owed to Lion Laboratories in the circumstances. Moreover, I note that evidence was submitted in the case stated by Judge Mary Devins in DPP v. O'Malley [2008] IEHC 117 to show that the MBRS is contractually prohibited from disclosing the source code to any third party. In the circumstances, I am satisfied that the source code is exempt under section 26(1)(b) as well as section 27(1)(a) of the FOI Act.
While this may be the correct result in the context of FOI, when taken together with the decision in DPP v. O'Malley it seems to leave defendants in drink driving cases with no effective means of challenging the inner workings of the machines used to convict them, and may potentially lead to an injustice. Testing, maintenance and repair records show whether a particular device was serviced and calibrated as it should have been; they say nothing about whether the software which turns a breath sample into a printed reading does so correctly. As a fundamental principle of law, if a person is to be convicted based on the "testimony" of a machine then that person should have the right to challenge the process by which the machine generates that "testimony" - something which may require inspection of the source code. As things stand, however, it seems that there is no route in Irish law for that to be done.

Wednesday, November 10, 2010

Advertising standards, the internet and "ghost and entity removal"

There was some publicity recently about the fact that the UK Advertising Standards Authority is to extend its remit to cover online advertising also. Surprisingly, however, there appeared to be very little awareness of the fact that the Advertising Standards Authority of Ireland has explicitly covered internet advertising since 2001. (Rather than 2009, as the Sunday Business Post suggested.)

To honour this long record of regulating internet advertising, I thought I'd share a recent ASAI decision on internet advertising - one which considered amongst other things "Shamanic Healing", "Angel Therapy" and - best of all - "Ghost and Entity Removal". The complaint related to an Irish website Seventh Heaven Healing and the variety of "spiritual" services it offered. According to the decision, "the complainant challenged all the claims in relation to distant healing and medical advice from the spirit world. He questioned the ability to arrange for divine intervention and requested that proof be provided for all claims."

Perhaps unsurprisingly, the ASAI wasn't persuaded by the website owner's claims that she could not prove her "claims on healing an individual without disclosing personal information about the people in question" and that "as a medical intuitive she uses her mediumship ability to help individuals remove energy blocks on an energetic scale". Consequently it ordered that "the advertisement must not run in its current format again".

As to how effective that ruling has been, judge for yourself at seventhheavenhealing.net. (Warning - autoplay saccharine music.) Or, if you're in a hurry, jump straight to the "Ghost and Entity Removal" page.

For a related ASAI ruling on "powerful energy over the phone" and "healing" in relation to cancer and "sick babies" see this decision.

Police access to encrypted files: Does the Anglo case show up a gap in the legislation?


According to today's Irish Independent the Anglo investigation is being held up by encrypted files:
Gardai are unable to examine more than 100 key files in their investigation into Anglo Irish Bank because former senior executives have not handed over the computer passwords.

Former Anglo staff hold passwords to about 200 documents vital to the inquiries being carried out jointly by the Garda Fraud Bureau and the Director of Corporate Enforcement.

The passwords for around a third of the encrypted documents have been produced so far by the bank. But Anglo admitted it has been unable up to now to secure the rest.

Among the former employees being contacted by Anglo to establish if they have knowledge of the missing passwords is its ex-chairman Sean FitzPatrick.

Gardai are using state-of-the-art technology to crack the password puzzle and are confident they will be able to gain access to all of the key documents.

But they indicated yesterday that the absence of the passwords was one of the factors which have delayed the completion of their inquiries.
In light of this story it might be worth considering the legal position governing police access to such files and whether or not the former bank officials mentioned might be compelled to assist in decrypting them.

Background

Irish law generally doesn't require disclosure of passwords or private keys to police - see e.g. section 28 of the Electronic Commerce Act 2000. (This is in contrast to the position in the UK, where there is a wide power to order key disclosure and it is an offence to fail to disclose - see here for an example of such an order.)

However, there are specific Garda powers under the Criminal Justice (Theft and Fraud Offences) Act 2001 which are relevant. Will they apply to the facts of this particular case?

Search warrants

The first power is contained in section 48 of the Act, which deals with search warrants and provides that:
A member of the Garda Síochána acting under the authority of a warrant under this section may—

(a) operate any computer at the place which is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and
(b) require any person at that place who appears to the member to have lawful access to the information in any such computer—

(i) to give to the member any password necessary to operate it,
(ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or
(iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.
Consequently search warrants under this section can have the effect of requiring individuals to provide passwords or to decrypt information (to provide it in a "visible and legible" form). However, this power wouldn't apply in the context of the Anglo investigation insofar as it only applies to a person "at that place" - the place being searched - who appears to the Garda to have lawful access to the information in the computer. Former bank employees who are sipping brandy at home can't be required to assist in the decryption process.

Evidence orders

At first glance, the section 52 power would appear to be more promising. That section provides that:
(2) A judge of the District Court, on hearing evidence on oath given by a member of the Garda Síochána, may, if he or she is satisfied that—

(a) the Garda Síochána are investigating an offence to which this section applies,
(b) a person has possession or control of particular material or material of a particular description, and
(c) there are reasonable grounds for suspecting that the material constitutes evidence of or relating to the commission of the offence,

order that the person shall—

(i) produce the material to a member of the Garda Síochána for the member to take away, or
(ii) give such a member access to it,

either immediately or within such period as the order may specify.

(3) Where the material consists of or includes information contained in a computer, the order shall have effect as an order to produce the information, or to give access to it, in a form in which it is visible and legible and in which it can be taken away.
As with the section 48 power, this includes a power to require a person to decrypt information (though not to require a person to provide a password or key). Again, however, it wouldn't seem to apply to former bank officials. The order to produce and/or decrypt evidential material applies where a person has certain material in their "possession or control". This wouldn't seem to stretch to the situation where the material - the file - is located on bank premises and as such isn't in the possession or control of the former bank official.

Other statutory powers?

Sections 48 and 52 of the 2001 Act are not the only statutory powers to provide for passwords to be handed over or information to be decrypted. Similar powers are contained in section 16 of the Proceeds of Crime Act 1996 (as amended by the Proceeds of Crime (Amendment) Act 2005) and several other pieces of legislation. However, these powers all appear to be modelled on the 2001 Act and consequently would fall foul of the same problems if applied to a person who is not at the scene or does not have possession or control of the material in question.

Conclusion

If this analysis is correct then there would seem to be a gap in the 2001 Act powers to require decryption - while a person can be compelled to decrypt material so long as they remain in employment in a particular organisation it would seem that once they leave then they are no longer subject to these powers.

Tuesday, November 09, 2010

Are Norwich Pharmacal orders compatible with the Data Retention Directive?

Interesting news from Sweden, where a court has made a preliminary reference to the ECJ which calls into question the use of information held under the Data Retention Directive to identify users accused of copyright infringement. According to a report in Intellectual Asset Management:
The request for a preliminary ruling was made by the Supreme Court in a copyright litigation case between five audiobook publishers, and Perfect Communication AB, an ISP. Before the case reached the Supreme Court, the audiobook companies had requested the district court to order Perfect Communication to reveal information regarding the name and address of the registered user of a certain IP address, who was suspected of infringing copyrights in a large number of popular audiobooks...

On 25th August 2010 the Supreme Court requested a preliminary ruling from the ECJ on two questions:

* Whether the Data Retention Directive prevents the application of a national rule based on the EU IP Rights Enforcement Directive (2004/48/EC), which provides that an ISP in a civil case can be ordered to provide a copyright owner or a rights holder with information on which subscriber holds a specific IP address assigned by the ISP, from which address the infringement is alleged to have taken place.
* Whether the answer to the first question is affected by the fact that the state has not yet implemented the Data Retention Directive, although the deadline for implementation has passed.

While the full text of the reference isn't available, the ISP's case seems to be based on the interaction between the ePrivacy Directive and the Data Retention Directive. In particular it appears to argue that data stored under the Data Retention Directive should only be made available to national authorities for the purposes of that Directive - not for other, unrelated purposes (such as civil actions against filesharing). If successful, the implications would be far reaching and would at the very least require the Irish and UK courts to revisit cases such as EMI v. Eircom which deal with Norwich Pharmacal orders identifying internet users.


(My thanks to Niall Handy for pointing out this case.)

Monday, October 11, 2010

EMI v. UPC - Full judgment now available

It's been a busy few days for copyright law in Ireland. First the important decision in Koger v. HWM, and now the landmark decision in EMI v. UPC (RTÉ | Irish Times), which derailed music industry plans to compel ISPs to introduce "three strikes" in Ireland.

I'm still digesting the 82 pages of the judgment, but in the meantime here's the full text for your delectation:

EMI v. UPC

Tuesday, September 21, 2010

Google Transparency Report launched

The New York Times has a story today about Google's new Transparency Report. The Report - which expands on an earlier initiative - tracks government intervention on the internet and shares internal data from Google in three broad categories:

* Government inquiries for information about users;
* Government requests to remove content (both hosted content and search results); and
* Traffic flows.

In each case the data is broken down by country. In relation to the UK, for example, the map shows that for the period January-June 2010 there were:

* 1343 data requests;
* 48 removal requests, for a total of 232 items; and
* 62.5% of removal requests were fully or partially complied with.

Broken down by service, the removal requests were:

* Blogger
  * 1 court order to remove content
  * 1 item requested to be removed
* Video
  * 3 court orders to remove content
  * 32 items requested to be removed
* Groups
  * 1 court order to remove content
  * 1 item requested to be removed
* Web Search
  * 8 court orders to remove content
  * 144 items requested to be removed
* YouTube
  * 6 court orders to remove content
  * 29 non-court order requests to remove content
  * 54 items requested to be removed

There's no data given for Ireland for the same period. This may mean one of two things - either there were no Irish requests to take down information or access user information during that period, or else (probably more likely) there were so few Irish requests that Google has chosen not to reveal the statistics. For what it's worth, during the previous six month period Google indicates that there were fewer than 10 Irish government requests to remove content, of which 50% were complied with.

The traffic flow portion of the report is new and particularly interesting - by visualising the amount of data flowing to a particular country it graphically illustrates government attempts to block access to particular sites. Here, for example, is a graph of YouTube traffic to Turkey from March 2010 onwards. The abrupt drops in traffic appear to coincide with the Turkish government's ongoing attempts to block users from viewing YouTube and other Google services.

Google must be congratulated for providing this information - along with Herdict and Chilling Effects (which is also supported by Google) the information provided will be invaluable in tracking attempts to control the flow of information on the net. However, as Lilian Edwards and Christopher Soghoian have pointed out this is still only a start - greater detail as to the types of content being targeted and the legal basis for requests is necessary to make sense of the raw numbers. Perhaps in the next revision?

Friday, September 10, 2010

Monitoring online radicalisation

I was at the fascinating Terrorism and New Media conference in DCU yesterday taking part in a panel discussion "Monitoring the Internet for Violent Radicalisation: Ethical and Legal Issues", along with Mina al Lami (LSE), Paul Durrant (ISPAI) and Sadhbh McCarthy (Centre for Irish and European Security).

The discussion was under the Chatham House Rule so I won't be putting names to views, but the other panelists and the audience had some interesting perspectives which I thought worth jotting down.

There was a definite concern that anti-terror laws (especially in the UK) may make criminals of researchers. Cases such as the recent University of Nottingham arrests have made academics increasingly nervous and uncertain as to whether they can carry out their work in a way which is compliant with the law. From a purely practical perspective (at a conference where the majority of participants were from outside Ireland) there is a fear that the contents of one's laptop might be legal in country A but not in country B.

On a related point researchers were worried as to their legal and ethical responsibilities if they find material which might provide evidence of a crime or indications that a crime might be committed in the future. For Irish researchers section 9 of the Offences Against the State Act 1998 presents particular problems, making failure to volunteer certain information to Gardaí punishable by up to five years' imprisonment unless the researcher has a "reasonable excuse" for that failure. There seems to be a relatively low level of awareness of this and other reporting obligations.

The source material for studies in this area - jihadi forums, bulletin boards, chatrooms, etc. - also presented difficulties for researchers. What ethical standards apply to the use of material deliberately published for a global audience? Does it matter whether individuals have used their real name or a pseudonym? Does it matter whether material is on an open forum or requires registration? Are researchers justified in deceit as to their identity or institutional affiliation when signing up to these forums? While a good deal has been written on these issues (well summarised here), it seemed that these points still trouble researchers.

Finally, there was a substantial consensus that existing EU practice doesn't provide adequate ethical review of research in this area. When funding decisions are being made, there is a narrow focus on legality - asking "will researchers be breaking the law?" - rather than on wider ethical questions such as "is it desirable to develop particular tools of censorship or mass surveillance?" The INDECT project was cited as a prime example of inadequate ethical review, which (perhaps not surprisingly) has led to widespread media criticism.

Tuesday, August 10, 2010

Putting the "Entertainment" into Media and Entertainment Law

Ever wondered what a letter from Lindsay Lohan's lawyers would look like? Perhaps you wanted to know how Britney Spears and Kevin Federline agreed to enter into a fake marriage? Or maybe you wanted to see how contestants in American Idol sign their rights away on entering the show? If so, look no further. US law professor Eric Johnson has put together an excellent compendium of materials on media and entertainment law for his courses. Unlike traditional materials, however, his compendium includes not just the (relatively staid) decisions of the courts but also dressing room requirements, the bluff and bluster of correspondence, and more. As he explains:
I'm a strong believer in assigning readings other than judicial opinions. So my compendium includes contracts, demand letters, and various litigation pleadings. These documents are especially valuable reading in entertainment law and media law, where industry custom, intimidation tactics, creative lawyering, ignorance, bullying, and fear all combine to play a role that rivals that of the law itself.